We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

China’s State Secrets Law and compliance issues for foreign companies

Though there are relatively few publicized instances where foreign companies (or their P.R.C. subsidiaries or joint ventures) or foreign individuals in China have formally been found to have run afoul of the Law of the P.R.C. on Guarding State Secrets(“State Secrets Law”)[1], the consequences of doing so are significant. Specifically, the Interpretation of the Supreme People’s Court on Several Issues Concerning the Application of Law for Trial of Cases of Stealing, Buying, or Unlawfully Supplying State Secrets or Intelligence for Entities outside of the Territory of China (“Interpretation”) notes that “[w]hoever steals, spies into, buys or unlawfully supplies state secrets or intelligence for entities outside of the Territory of China” can, under certain circumstances, be given a lengthy prison term or, potentially, in especially serious cases even the death sentence.[2] As such, foreign companies and individuals that may be dealing with state secrets in China should be very concerned regarding their duties and potential liabilities under the State Secrets Law.

The first question often posed by foreign companies doing business in China and concerned about potential state secrets issues is: “What is and what is not a state secret under the law?” The State Secrets Law in Article 9 provides certain broad categories for various matters, including but not limited to those involved in “national economic and social development” or “science and technology”.[3] As one can see, these two categories alone are very broadly defined and encompass a wide range of potential confidential information that could qualify as a state secret. As such, it is not simply the nature of the information, but equally important, the source of the information that determines whether it is a state secret.

When one looks at whether certain confidential information related to, say, “science and technology” qualifies as a state secret, the likelihood thereof will be related to which person or entity developed the information and/or who is funding the development of the information. Though there is no definitive rule, one view is that if the P.R.C. government has developed the information or funded the development of such scientific/technical information or controls the entity which developed/funded the development of the information and the information has commercial/strategic value, there is a very real likelihood that it may qualify as a state secret. Further increasing the likelihood of such information being a state secret is where it also impacts the “national economic and social development”, such as in the cases of, for instance, information related to environmental protection or the energy sector. All this said, a state secret only becomes such when it is duly classified and there are now improved guidelines established for those who carry out such classifications and how to treat the secrets once classified.

The ultimate authority for classification of state secrets in China resides with the National Administration for the Protection of State Secrets (“NAPSS”).[4] The NAPSS defines classification levels for state secrets (“top secret”, “secret”, and “confidential”, in descending order of importance to the state)[5] and how state secrets are to be classified and protected. Under the State Secrets Law, “organs” or “entities” can determine state secrets which they produce and classify them, though only under the strict guidance of the NAPSS and its provincial/local affiliates. The recently releasedRegulation on the Implementation of the Law of the People’s Republic of China on Guarding State Secrets (“Regulation”) goes into great detail on the relationship between the NAPSS and those organs/entities which may carry out state secret classification work.[6] This Regulation provides welcome guidance regarding the state secret classification process. It notes that certain organs/entities can classify state secrets, but it also provides additional details on how precisely such classification will be carried out, while making clear that the ultimate classification authority and decision-making resides with the NAPSS (and its affiliates).

For those foreign-controlled companies (such as P.R.C. subsidiaries or joint ventures) which work with state-affiliated entities, such as P.R.C. government research institutions or state-owned entities (“SOEs”), there may be situations where certain information is transferred, or is proposed to be transferred, where such information is classified as a state secret. Responsibility for protecting the secret lies with the originator, such as the SOE, but the recipients of these state secrets also have duties and obligations to protect the confidentiality of the secrets when received.

State secrets are supposed to be clearly marked on their “carriers” (such as on an electronic file or an actual paper file folder)[7] by the originator/classifier, but the Interpretation notes that liability can be upon those who “knows or should have known that the matter not marked with secret level”[8] was a state secret and treated the secret unlawfully. The fact that a “carrier” is unmarked though still containing a state secret does not absolve one of liability.

When dealing with information of the type noted above which may very well qualify as a state secret, the first step that a foreign-controlled company should take is to understand the duties and liabilities associated with the receipt of state secrets. Given such duties/liabilities, does it now still wish to receive the state secrets? If it is agreed that the state secrets are to be transferred, the recipient should work with and contract with the originating/classifying party to ensure that proper approvals are obtained for the transfer of the secrets, that carriers of the secrets are properly marked, and that proper procedures for transfer/storage of the secrets are adhered to by both sides.

That said, foreign-controlled companies, as potential recipients of state secrets, must meet certain requirements before they can receive state secrets. This goes to a question which a foreign company may raise: “Are we, through our P.R.C. subsidiary, allowed to receive state secrets?” Article 29 of the Regulation notes that:

“[t]o engage in any business involving state secrets, an enterprise or public institution shall satisfy the following conditions:

It is a legal person legally formed and existing for three years or more within the territory of the P.R.C., without any records or illegal acts or crimes.

Its staff members engaging in the business involving state secrets are of the nationality of the P.R.C.

It has sound secrecy rules, as well as a special office or person responsible for secrecy work.

Its sites, facilities, and equipment used for the business involving state secrets satisfy the secrecy provisions and standards of the state.

It has professional competency in the business involving state secrets.

Other conditions as set out by laws and administrative regulations and the state secrecy administrative department.”[9]

In essence, foreign companies and non-Chinese citizens are, absent approval from the NAPSS, not allowed to receive state secrets. And, even if the foreign company has a Chinese subsidiary which meets the Regulation’s above-noted requirements for formation, etc… no non-Chinese citizen employees of that subsidiary can have access to the state secrets (again, absent approval from the NAPSS). In such cases, it may be required to limit access to only Chinese citizens by setting up appropriate “firewalls”.

If approval is given for transfer of the state secrets to a foreign-controlled entity, the IT/Security systems of said entity would have to, ideally, be vetted by the NAPSS (through one of its designated institutions)[10] and appropriate processes and procedures would have to be in place. For instance, Article 24 of the State Secrets Law makes clear that it is not acceptable to “[c]onnect any secret-related computer or storage device to the Internet or any other public information network” or “[s]tore or process state secret information by using any computer or storage device which is not a secret-related computer or storage device”.[11] And, above all, the state secrets should not be transmitted outside of China absent NAPSS approval.[12] These and other security provisions of the State Secrets Law make clear that all state secrets must be vigilantly protected and that all necessary technical measures should be taken to ensure their security and confidentiality.

As foreign companies increasingly collaborate with Chinese entities which may hold state secrets, there may well be certain instances when approvals are obtained to share such secrets with foreign-controlled entities (such as with their Chinese subsidiaries). In such cases, foreign companies should not simply assume that the Chinese partner has all liability and responsibility for protecting the state secrets, as one can see under the State Secrets Law, the Regulation, and the Interpretation that they as recipient have duties and liabilities as well. And non-compliance with the State Secrets Law, as noted, can have very serious consequences. As this article only provides a basic overview on the topic, for those companies who will receive state secrets or believe that they may be receiving state secrets, as defined under the State Secrets Law, the first step should be to seek appropriate P.R.C. legal counsel and work with the originating/classifying entity and the relevant arm of the NAPSS to ensure that the receipt, storage, transfer, and usage of any state secrets are in compliance with the Law.

To view all formatting for this article (eg, tables, footnotes), please access the original here.